Metadata Keywords

Metadata keywords have no immediate effect on rule matching. However, they affect reporting when a rule matches.

msg

The keyword msg contains textual information about the signature and the possible alert.

The format of msg is:

msg: "some description";

Examples:

msg:"ATTACK-RESPONSES 403 Forbidden";
msg:"ET EXPLOIT SMB-DS DCERPC PnP bind attempt";

Note

The following characters must be escaped inside the msg: ; \ "

sid

The keyword sid (signature ID) assigns an ID to every signature. This ID is given with a number. The format of sid is:

sid:123;

rev

rev represents the version of the signature. Each time a signature is updated, rev ought to be incremented. Its format is:

rev:123;

classtype

The classtype keyword provides information on the classification of rules and alerts. It consists of a short name which can be translated as a priority for reporting purposes.

This example reports a hit of class “trojan-activity”:

drop tcp any any -> any any (msg:"classtype example"; content:"placeholder"; \
classtype:trojan-activity; sid:1; rev:1;)

Tip

It is a convention that classtype comes before sid and rev and after the rest of the keywords.

reference

The reference keyword provides additional information on the purpose of the rule and the attack it detects. reference can appear multiple times in a signature. This keyword is meant for signature writers and analysts who investigate why a signature has matched.

It has the following format:

reference: type, reference

For example, a typical reference to www.genua.de would be:

reference: url, www.genua.de

In addition, there are also several systems that can be used as a reference. A commonly known example is the CVE-database that assigns numbers to vulnerabilities. You can refer to it as follows, for example:

reference: cve, CVE-2014-1234

This creates a reference to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1234.

priority

Note

cognitix Threat Defender does not support this keyword.

metadata

With the metadata keyword, additional, non-functional information can be added to the signature. The format is:

metadata: key value;
metadata: key value, key value;

The metadata keyword is often used to code the signature creation created_at and last update timestamp updated_at.

Example:

metadata:created_at 2010_09_23, updated_at 2010_09_23;